1 of 100

KeeperPAM and Secrets Manager

KeeperPAM

KeeperPAM is a modern, cloud-based Privileged Access Manager

Overview

KeeperPAM is a next-gen privileged access management solution that secures and manages access to critical resources, including servers, web apps, databases and workloads.

KeeperPAM consolidates enterprise password management, secrets management, connection management, database management, endpoint privileged management, zero-trust network access, remote browser isolation and a cloud-based access control plane in one unified product.

Privileged Access Manager

Setup Steps

Accessing the KeeperPAM platform

Setup Steps

Follow the below steps to start using KeeperPAM.

Keeper Enterprise license

If you are not a Keeper customer or do not have the required license, you can from our website. The free trial includes KeeperPAM full capabilities.

Activate Privileged Access Manager

From the Keeper Admin Console, ensure that your Privileged Access Manager subscription is active. Go to the Admin Console > Subscriptions and activate the trial or contact your Keeper customer success manager.

Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

Existing Customers: Updating your Gateway

This assumes you are an existing customer with Keeper Secrets Manager and you have a Gateway already deployed. Using the latest Keeper Gateway is required to support the new features. Depending on the operating system, features available will differ.

New Customers: Create a new Gateway and Sandbox

Follow the step by step guide in the section of this documentation. A new is available to instantly create a sandbox for exploring some of the connection types.

Explore new features

Notes

PAM Features differ between Linux, Docker and Windows versions of the Keeper Gateway.
For a full range of features, use the Docker installation method, or Linux installation method on Rocky Linux or RHEL.
We recommend setting up a Keeper Gateway using the . This provides a customized Docker Compose file that provides an instant sandbox for testing.

Feedback

If you have any questions, please or email [email protected].

Quick Start: Sandbox

Quickly and easily get started with a pre-configured PAM setup in your vault

Quick Start Wizard

To learn some KeeperPAM basics, we have created a wizard that is integrated into the Vault. If you select the Docker install method, this wizard will create all the necessary vault records, configurations and a customized Docker Compose file for quickly standing up a sandbox demo environment in less than 2 minutes.

Getting Started

Getting Started with KeeperPAM fundamentals

The Basics

Architecture

KeeperPAM Features

Secrets Manager Features

Commander CLI Features

Enterprise Password Manager

Architecture

Technical details on the KeeperPAM platform architecture

Overview

KeeperPAM is a Zero-Knowledge platform, ensuring that encryption and decryption of secrets, connections, and tunnels occur locally on the end user's device through the Keeper Vault application. Access to resources in the vault is restricted to users with explicitly assigned permissions, enabling them to establish sessions or tunnels securely.

Keeper's zero-trust connection technology further enhances security by providing restricted and monitored access to target systems without direct connectivity, while never exposing underlying credentials or secrets.

This security content will cover the key areas of KeeperPAM:

Architecture Diagram

Keeper Password Rotation architecture diagram and data flow

Architecture Diagram

The KeeperPAM infrastructure and security model ensures zero-knowledge encryption between the end-user's device and the target infrastructure. Keeper's servers have no ability to decrypt or intercept the underlying sessions.

Keeper is designed for high availability, scalability, secure authorization, and robust disaster recovery. Hosted on Amazon Web Services (AWS), Keeper’s backend infrastructure is multi-region and multi-zone, ensuring redundancy across geographic locations. All core services are designed with high availability (HA) in mind, leveraging AWS best practices for fault tolerance and reliability. The system scales automatically to accommodate increased demand without compromising performance. Keeper's infrastructure supports millions of active users and devices.

On the customer side, the Keeper vault is deployed to users for all PAM access. The vault communicates with the Keeper backend APIs for establishing connections to resources. Keeper's zero-knowledge APIs ensure that Keeper's backend systems do not have the ability to decrypt any stored customer data. Encryption and decryption of data is always performed locally on the device.

Keeper Secrets Manager and Keeper Gateway Devices are responsible for performing secret retrieval, credential rotation, resource discovery and privileged session proxying to the customer's local or cloud environment. These devices communicate directly with the Keeper cloud APIs for the management of state, encrypted data storage, audit event logging and session recording. Since these devices are not responsible for the management of data, Keeper's architecture allows the customer environments to scale automatically without any specific hosting requirements on the customer side.

When a customer installs a Keeper Gateway or Keeper Secrets Manager device, it is typically deployed as a Docker container. Customers can use their preferred container orchestration platform such as Kubernetes, Docker Swarm, or Amazon ECS to manage deployment, enable scaling, and provide the necessary levels of local device redundancy.

Multiple Keeper Gateways can also be assigned to the same resources and folders in the Keeper vault in order to establish physical redundancy.

Components

Keeper Gateway

The Keeper Gateway is a service which is installed into the customer's environment and communicates outbound to Keeper services. The Gateway performs the rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses Keeper Secrets Manager APIs to authenticate, communicate and decrypt data from the Keeper cloud.

Keeper Router

The Keeper Router is infrastructure in Keeper's cloud that manages connections between Keeper and Rotation Gateways. The Cloud Router provides real-time messaging and communication between the Keeper Vault, customer gateway and Keeper backend services.

Keeper Relay

The Keeper Relay is infrastructure in Keeper's cloud that is responsible for establishing encrypted connections between the end-user vault interface and the customer-hosted Keeper Gateway service.

Keeper Backend API

Keeper's Backend API is the endpoint which all Keeper client applications communicate with. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a format.

Scheduler

Keeper hosted infrastructure that manages timing and logistics around scheduled rotation of credentials across the target infrastructure.

Admin Console and Control Plane

The Management console used to set and enforce policies across all Keeper components.

Client Applications

The end-user interface for managing the vault, rotating passwords, running discovery jobs, creating connections and managing tunnels.

Data Flow

Keeper user performs action (rotation, connection, tunneling, discovery) from the Vault interface, Admin Console, Commander CLI or other endpoint application.
Keeper Gateway establishes an outbound WebSocket connection to the Keeper Router, receives the requests to perform the action.
The Vault Client application establishes a WebRTC connection to the customer's hosted Keeper Gateway.

Vault Security

Security and encryption model of the Keeper Vault

Keeper's platform is built with End-to-End Encryption (E2EE) across all devices and endpoints.

Data stored in the platform is encrypted locally and encrypted in transit between the user's devices
Information exchanged between Keeper users is encrypted from vault-to-vault
Data at rest is encrypted with multiple layers, starting with AES-256 encryption at the record level
Data in transit is encrypted with TLS and additional layers of transmission encryption which protects against access MITM, service providers and untrusted networks.

A full and detailed disclosure of all encryption related to data at rest, data in transit, cloud architecture and certifications can be found on the .

A video covering this model is below.

Connection and Tunnel Security

Security and encryption model of Connections and Tunnels

Overview

KeeperPAM provides the capability to establish cloud and on-prem privileged sessions, create tunnels, establish direct infrastructure access and secure remote database access.

Record Linking

KeeperPAM migration of records to new linked format

Overview

As part of the KeeperPAM product launch, newly created resources in the Keeper Vault—such as PAM Machines, PAM Directories, and PAM Databases—will no longer support embedding credentials directly within the resource. Instead, KeeperPAM now utilizes Record Linking, where the credential record is securely linked to the resource. This approach ensures a clear separation of encryption and permissions between the resource and its associated credentials.

With Record Linking, resources can be shared with users without exposing the underlying credentials, enhancing both security and access control.

Conversion

For customers currently using Keeper Secrets Manager with rotation capabilities, if a credential is embedded directly in a resource, a new section will appear when editing the record. This section will display the message:

"We moved your rotating credentials down below. Please convert these credentials into a PAM User record type."

This update guides users to transition their rotating credentials into the more secure PAM User record type for enhanced security and proper separation of credentials from resources.

By clicking "Convert Now", you'll be asked to confirm the change and the credentials will be separated from the resource and placed in the same folder.

Click "Next" to finish the conversion. After this is completed, a new record in the same folder will contain the linked credential.

Once the resource has been split, PAM capabilities including connections, tunnels and rotations can be enabled.

Applications

Secrets Manager Applications with KeeperPAM

What's an Application?

A Secrets Manager Application allows a machine or device to communicate with the Keeper vault, retrieve assigned records and decrypt the data.

Folders are shared to the application, similar to how users are folders are shared to users. This gives the application the capability of accessing and decrypting the records in the folder.

Devices

Keeper Secrets Manager Devices with KeeperPAM

What's a Device?

A Device can be any machine, application or endpoint that has the ability to communicate with the Keeper platform, authenticate and decrypt data that has been provisioned.

Applications have any number of devices associated. Each device has a unique identifier so that it can be tightly controlled and managed. Devices authenticate and decrypt data using a API and encryption model as defined in the Keeper Secrets Manager Security & Encryption model page.

Sharing Gateways

Sharing the Keeper Gateway with other admins

Overview

Keeper Gateways are essential when configuring PAM features such as rotation and connections on PAM resources. Keeper provides KSM Application Sharing from the vault UI and Keeper Commander CLI.

Alerts and SIEM Integration

Monitoring Gateway events and integrating with your SIEM

Overview

KeeperPAM supports integration with your SIEM provider to provide real-time event logging and monitoring of all privileged access management activity. In the Keeper Admin Console, alerts can also be configured based on any event.

For more information on activating SIEM integration from the Keeper Enterprise guide:

Features

Push over 200 different event types to any connected SIEM provider
Send alerts to email, SMS, Webhook, Slack or Microsoft Teams on any event trigger
Run custom reports from the Keeper Admin Console or CLI

KeeperPAM Events

Events related to KeeperPAM include:

Starting and stopping sessions, tunnels, remote browser isolation
Gateway lifecycle (online, offline, added/removed)
Connection lifecycle (creation, editing and deleting PAM resources)

Recommended Alerts

As a KeeperPAM administrator, it is useful to receive alerts related to Gateway actions, such as when a Gateway goes offline (in case of server outage or system restart).

From the Admin Console, go to Reporting & Alerts > Alerts > select Event Types and set the recipient information.

Event alert details will include the name and UID of the affected Keeper gateway.

Email alerts contain event information

Integrations

Keeper integrates with ITSM platforms for realtime ticket creation, alerting and incident response.

Advanced Configuration

Advanced Keeper Gateway Configurations

Overview

This section will cover additional configurations to modify the Keeper Gateway's default behavior.

Advanced Configurations

Password Rotation

Keeper password rotation capabilities with Keeper Secrets Manager

Overview

KeeperPAM Password Rotation enables customers to securely and automatically rotate credentials across cloud-based and on-premises environments, including Active Directory accounts, Windows and Linux users, database passwords, Azure IAM accounts, AWS accounts, Google Workspace accounts, SSH keys, and more. Adhering to Keeper’s Zero Trust and Zero Knowledge security model, this feature helps organizations mitigate risks associated with weak, reused, or long-standing credentials, as well as threats such as breaches, terminations, and dark web exposure.

Local Network

Password Rotation in the Local Network Environment

Overview

In this section, you will learn how to rotate user credentials within a Local Network environment across various target systems.

A "local network" simply means any resource that has line of sight access from the Keeper Gateway. This configuration can be used in any cloud or managed environment. Native protocols are used to communicate to the target resources and perform rotations.

Setup Steps

At a high level, the following steps are needed to successfully rotate passwords on a network:

Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource

Use Cases

Database

DB credential Rotation in the Local Environment

In this section, you will learn how to rotate database user credentials within your local network.

Databases Supported

Azure Managed Database

Rotate Azure Managed Database credentials with Keeper

In this section, you will learn how to rotate DB User or Admin credentials on the following Azure Managed Databases:

Azure Client Secret Rotation

Automatically rotate the secret of an Azure app using Keeper rotation

Keeper can automatically rotate a client secret in Azure. Please see the Azure Client Secret section of the .

IAM User Access Key

Automatically rotate AWS access keys using Keeper Secrets Manager rotations

Keeper can automatically rotate an IAM User Access Key in AWS. Please see the AWS Access Key section of the .

Managed Database

Rotating AWS RDS accounts with Keeper

Overview

In this section, you will learn how to rotate DB User or Admin credentials on the following AWS Managed Databases:

Cloud SQL Database User

Rotating Google Cloud SQL Database user accounts with Keeper

Overview

In this section, you will learn how to rotate DB User or Admin credentials on the following Google Cloud Managed Databases:

Router Security

Security and encryption model of the Keeper Router

Overview

Keeper Router ("Router") is a cloud service hosted in Keeper's cloud environment which facilitates communications between the Keeper backend API, end-user applications (Web Vault, Desktop App, etc.), and Keeper Gateways installed in the user’s environment. The Router is responsible for communications that perform resource discovery, password rotation, timed access and privileged connection management.

How does Keeper Router work?

In traditional or legacy privileged access products, the customer is responsible for installing on-prem software which is difficult to manage and configure in a cloud environment. In Keeper's model, a hosted service (called a Gateway) is installed into the customer's environment which establishes an outbound secure connection to the Keeper Router, enabling bi-directional communication to the Keeper cloud without any network configuration. Keeper Router makes cloud access to on-prem infrastructure easy and secure by utilizing WebSockets for the inbound requests.

With Keeper, WebSockets are established between the end-user device (e.g. Web Vault) and the Keeper Router using the user's current session token. The session token is verified by the Keeper Router to authenticate the session. All encrypted payloads sent to the Keeper Router are wrapped by a 256-bit AES transmission key in addition to TLS, to protect against MITM attacks. The transmission key is generated on the end-user device and transferred to the server using ECIES encryption via the Router's public EC key.

When a user on their Web Vault or Desktop App triggers a password rotation, discovery job or remote connection, the message flow is the following:

Upon installation of the Gateway, it authenticates with the Keeper Cloud using a hashed One Time Access Token one time. The client signs the payload and registers a Client Device Public Key with the server on the first authentication. After the first authentication, subsequent requests are sent to the Keeper Router and signed with the Client Device Private Key.
The Gateway establishes an authenticated WebSocket connection using the Client Device Private Key and ECDSA signature.
The Vault sends a message to the Keeper Router with a command to execute (rotation, tunnel, discovery, connection) and authenticates the command using the user's active session token.

The Keeper Router architecture is Zero Knowledge, and Keeper's infrastructure never has the ability to access or decrypt any of the customer's stored vault data.

Keeper Router Architecture

The Router consists of two logical deployments that work together - the Head and the Workers.

The Router is hosted in Keeper’s AWS cloud environment, isolated to each of the global regions (US, EU, CA, AUS, JP, and US Gov).

The Head is not exposed to the internet, and performs the following functions:

Synchronization of global state between Workers
Inter-worker communication
Scheduling of events (e.g. rotation, discovery and connection requests)

The Workers connect to the Head via WebSocket and also use REST API calls to retrieve information. The Workers perform the following functions:

Communication with Gateways
Communication with Keeper end-user applications
Communication with Keeper backend API

Workers are scaled and load balanced in each Keeper environment. Access to the Keeper Router is established through a common URL pattern in each region:

US: https://connect.keepersecurity.com

EU: https://connect.keepersecurity.eu

AU: https://connect.keepersecurity.com.au

CA: https://connect.keepersecurity.ca

JP: https://connect.keepersecurity.jp

US GOV: https://connect.keepersecurity.us

The end-user device will always communicate through the same Router instance. When the end-user vault connects to the Router system, a communication exchange is performed to ensure that the vault is communicating to the desired gateway. Once the Gateway communication is established, a Cookie is stored locally on the user's browser which expires automatically in 7 days. This Cookie is only used to establish a sticky session with the target Router instance, and does not contain any secret information.

Each Gateway device is associated with a unique UID. The Gateway UID is stored within an encrypted “PAM Configuration” record in the administrator's vault. This way, the Keeper vault record knows which Gateway must be used to perform the requested rotation, discovery or connection features.

Service Management

Managing the credentials of Windows services and scheduled tasks

Overview

KeeperPAM Password Rotation is able to automatically manage the "log on" credentials for Windows services and scheduled tasks.

When rotation is performed for a specific PAM User record, the Keeper Gateway will update the credentials for all services and scheduled tasks on the associated PAM Machine, and restart the services. One PAM User record can be associated to any number of PAM Machine records, allowing you to update the services and scheduled tasks across a fleet of servers.

Prerequisites

This guide assumes the following tasks have already taken place:

are configured for your role
A Keeper Secrets Manager has been created
Your is online

Setup

Service account and scheduled task management works by associating a PAM User record with one or more PAM Machine records in the vault. This mapping tells the Keeper Gateway to reach into each machine and look up any services running as the user, updating the password and restarting the service.

Ensure that you are using a PAM Machine record to manage services and scheduled tasks on the resource. If you are using a different type of resource (Database, Directory, etc) you can create another resource which is a PAM Machine that is associated to the same PAM User.

Using Discovery

When running a , Keeper will automatically locate any services or scheduled tasks that require update when a password is rotated.

If you don't use Discovery, this can be managed directly through the Commander CLI interface using the pam action service commands.

Using the Commander CLI

Keeper Commander provides the necessary commands to associate services and scheduled tasks, such that password rotations will trigger an update and restart of the service.

Installing Commander

If you haven't set up Keeper Commander yet, please follow the .

Locate Gateway UID

Use the pam gateway list command to locate the Gateway UID which manages the machine containing the services and scheduled tasks. You'll need this for the next step.

Locate PAM Machine and PAM User UID

The PAM Machine and PAM User UIDs can be found in Commander by using the ls -l command inside a folder or by using the search command.

The UIDs can also be found in the Keeper Vault "Record Information" screen:

Services Management Commands

Use the pam action service command to instruct Keeper to update services and scheduled tasks on a particular machine, for a particular user, within a network.

Adding a Service / Task / IIS

To instruct Keeper to update and restart services and scheduled tasks on a particular machine, use the syntax below:

Removing a Service / Task / IIS

To instruct Keeper to remove the associations of services and scheduled tasks on a machine:

Listing all Mappings

To display the current mappings between Gateway, Machine and User accounts where services and tasks need to be managed, use the pam action service list command.

Triggering the service update

To perform a password rotation of a PAM User account, click on the Rotate button from the vault user interface.

To perform the rotation from Commander, run pam action rotate :

To view the status of the rotation job, check the Vault UI or run the pam action job-info command as instructed:

Troubleshooting

Service Restarts

Keeper will not start a service which is currently stopped. We will only restart any actively running services after updating the log on credential.

When troubleshooting a service credential update issue, please make sure of the following:

For a Windows server, ensure the operating system field is set to windows
Ensure that the Keeper Gateway can communicate to the PAM Machine via WinRM or SSH.
Check the Event Viewer > Windows Logs > Application events for any error messages

Vault Structure

Understanding the Keeper Vault structure and organization for KeeperPAM

Overview

In a customer's environment, the Keeper Vault is deployed to all users within the organization across all devices. The Vault is accessible through any web browser, and also available as a native desktop application for Windows, macOS and Linux. Accessing the Keeper vault is the foundation of the KeeperPAM platform, since the vault is deployed to all users, enforces MFA, SSO and implements a zero-knowledge encryption model.

When the Role-based Enforcement Policies are activated from the Keeper Admin Console, those designated users can work with KeeperPAM functionality directly with the vault.

Records, Record Types and Resources

In Keeper, a record can be a password, file, passkey, or any number of possible record type templates. A record is always encrypted locally on the user's device with a record-level encryption key. All information held within a record is encrypted in the vault.

When working with Secrets Management and Privileged Access Management functionality, records can also represent Applications, Machines, Directories, Databases, Domain Controllers, Users and other infrastructure being managed.

Like any password record, these new record types can also be placed into private or shared folders, managed directly in the vault and controlled through policy enforcements.

Folders and Shared Folders

In the vault, records are placed into folders and shared folders. A typical and recommended setup looks something like this:

Private Folder
- Shared Folder containing Resources
- Shared Folder containing User accounts

The reason that we recommend splitting up Resources and User accounts is based on least privilege. In this configuration, the resources can be provisioned to a user without sharing access to the underlying credentials. The user accounts are in a separate folder and can remain private in this vault or shared to other privileged users as required.

A resource such as a Linux machine can be seen inside the resource folder below. The Administrative Credentials used for connecting to that resource are linked, but not directly embedded in the resource. This way, you can provide access to the resource without sharing the credential.

In this example, the linked Administrative Credential lives in the Users folder with separate permissions and folder privileges.

At the Shared Folder level, both human users and applications can be assigned with access rights. This allows least privilege enforcement across employees and machines.

The fastest way to understand the relationship between records, folders, applications and configurations is using the . This wizard instantly creates a sandbox environment where you can work with the different resources and vault records.

Application

A Secrets Manager Application is assigned to specific shared folders. Applications are associated to devices and Gateways for accessing the assigned records.

An Application and the associated devices and Gateways can only decrypt the records assigned to the folder. Keeper recommends implementing the principle of least privilege, ensuring applications are limited in their ability to access records from the vault.

Management of Applications is found in the Keeper Secrets Manager section of the vault. An example of an Application might be "Azure DevOps Pipeline" or "Azure AD Rotations" as seen in the screenshot below.

For more information on Applications:

Device

A Device is any endpoint that needs to access secrets associated with an Application. This can be a physical device, virtual device, or cloud-based device. Each Client device has a unique key to read and access the secrets.

A device can be initialized through the Applications section of the vault user interface.

For more information on Devices:

Gateway

The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute password rotation, discovery, connection, tunneling or other privileged automation. The Gateway service can be installed in any remote or on-prem environment, powering a secure zero-trust connection.

Typically, a Keeper Gateway is deployed to each environment that is being managed. For example, if you are an MSP managing 500 client environments, you may deploy 500 Keeper Gateways.

The architecture of the Keeper Gateway deployments is based on your use case and can be reviewed with our implementation team.

Configuration

A PAM Configuration defines the target environment where a Keeper Gateway has been installed. This configuration supplies important secrets to the Gateway that can be used to manage the target infrastructure. For example, it can contain Azure client secrets or Tenant IDs.

The PAM Configuration data is stored as a record in the vault inside the specified "Application Folder". This way, the Gateway has the necessary permission to retrieve this information.

We recommend defining only one Configuration for each Gateway.

More information about PAM Configuration records:

PAM Resources

Inside the vault, records define the type of resources being managed. We call these "PAM Resources". Several new Record Types available in the vault are associated with a resource.

When creating a resource, you can select from various targets, such as Machine, Database, Directory, etc.

Visit the pages linked below to learn more about each PAM Resource:

PAM Record Type

Supported Assets

PAM Users

A special record type in the Keeper Vault called PAM User can be directly associated to any PAM Resource. The PAM User is used by the Keeper Gateway for establishing a connection, rotating a password, discovering accounts or running other privilege automation on a target resource.

A PAM User is linked to the PAM Resource in the "Credentials" section of the record. This linkage ensures that access to the resource does not directly allow access to the credential.

A PAM User record can be configured for on-demand and automatic rotation.

More information on PAM Users is found here:

Activating PAM Features

Now that you understand the basic structure of the vault, activating and utilizing PAM features is described in the below sections.

Gateway on Linux Native

Instructions for installing Keeper Gateway on Linux with native packages

Overview

This document contains information on how to install, configure, and update your Keeper Gateway on Linux with native packages.

Prerequisites

Prior to proceeding with this document, make sure you .
For full capabilities, use Rocky Linux 9, RHEL 9 or Alma Linux 9.
If you cannot use one of these Linux flavors, please install using the

Installation

Install Command

Executing the following command will install the Keeper Gateway, and run it as a service:

Replace XXXXX with the One-Time Access Token provided from creating the Keeper Gateway

Installation Location

The gateway will be installed in the following location:

An alias gateway is also created in the same directory

Gateway Service Management

For managing the Keeper Gateway as a service, the following are created during the Gateway installation:

A keeper-gateway folder
A keeper-gw user

keeper-gateway folder

The keeper-gateway folder contains the gateway configuration file and is created in the following location:

keeper-gw user

During the gateway installation, a new user, keeper-gw, is created and added to the sudoers list in /etc/sudoers.d/.

The keeper-gw user is the owner of the keeper-gateway folder and runs the gateway service. This is required when performing rotations on the gateway service and performing post-execution scripts.

Managing the Gateway Service

The following commands can be executed to start, restart, or stop the Keeper Gateway as a service:

Keeper Gateway Configuration File

The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and tenant server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the One-Time Access Token generated when you .

If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location:

If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:

Keeper Gateway Log files

Logs that contain helpful debugging information are automatically created and stored on the local machine.

If the Gateway is running as a service, the log files are stored in the following location:

If the Gateway is not running as a service, the log files are stored in the following location:

Verbose Logging

To add verbose debug logging, modify this file:

and add the -d flag to the "gateway start" command, e.g:

Apply changes to the service:

Tailing the Logs

Updating

Executing the following command will update the Keeper Gateway to the latest version:

Auto Update

Configure your Keeper Gateway installation to automatically check for updates, ensuring it stays up-to-date with the latest version.

Uninstalling

Executing the following command will uninstall the Keeper Gateway:

Health Checks

To monitor the Gateway service, you can configure health checks that expose its operational status. These checks are useful for Docker orchestration, load balancing, and automated monitoring. See the for full setup details and examples.

The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:

Destination Endpoint

Ports Needed

More Info

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

Checksum Verification

Keeper Gateway SHA256 hashes for the latest version are published at the below location:

Calculating and verifying the checksum:

Linux

PowerShell

Azure Environment Setup

Setting up your Azure environment to work with KeeperPAM

Azure Environment Overview

Resources in your Azure environment can be managed by a Keeper Gateway using Azure App policies and client IDs configured in the PAM Configuration record.

In order to set up your Azure environment, the following steps must be taken:

Create an Azure application in the default Azure Active Directory.
Get values for the Keeper PAM Configuration from this new application.
Grant permissions to the application to access the Azure Active Directory.
Create a custom role to allow the application to access/perform actions on various Azure resources.

Create an Azure App Registration

Go to the Azure portal > Home and click on Microsoft Entra ID on the left side vertical menu. Select App Registrations, and then New Registration. Give the new application a name and select Single tenant. Then click the Register button at the bottom.

In the Overview of the application, the Application (client) ID UUID is shown. This is the Client Id field of the Keeper PAM Configuration record. The Directory (tenant) ID is also shown. This is the Tenant Id field of the Keeper PAM Configuration record. Save these values for later.

Next, go to Home > General > Subscriptions and get your subscription ID. Copy the subscription ID into the Keeper PAM Configuration "Subscription ID" field. For more information on how to get your subscription ID, visit this .

Next, click on the Add a certification or secret for Client credentials. On the next page, click on New client secret, give the client secret a Description, and select a desired Expires date, and click Add.

The page will refresh showing the secret Value. Copy the Value (not Secret ID) into the Keeper PAM Configuration "Client Secret" field. Save this value for later.

At this point, all the required the PAM Configuration fields should be filled in. You also have an Azure application that cannot do anything yet.

Assign Roles and Administrators

In order for the Azure tenant service principal/application to rotate Azure Active Directory users or Azure Active Directory Domain Service users, the application must be a assigned to an Administrative role.

From the Azure portal go to Home > Azure Active Directory > Roles and administrators, and click on the Administrative role to use (such as Privileged Authentication Administrator). The correct role depends on what privileges are needed for your use case. Custom roles can be used.

Global Administrator - It is not recommended to use a Global Administrator on a service principal. However, it will allow both administrator and user passwords to be rotated.
- Can change the password for any user, including a Global Administrator user.
- Can change the password for any user, except a Global Administrator user.

To add the application, click Add assignments and Search for the service principal/application that was created, click it, and then Add.

Assign Azure Role

Roles need to be attached to the Azure Application (also called a Service Principle here) in order to rotate passwords of target resources. This is done in the Subscription section of the Azure portal.

Go to the Azure portal > Home > Subscriptions then select your subscription. Click on Access control (IAM), and then Roles.

Click Add on the top menu, and then Add custom role. Jump to the JSON tab. Click on Edit and paste the JSON object from below, modifying it according to your setup.

This is a complete list of all of the permissions that Keeper Gateway can use, if applicable. Only include those that are needed for your setup.

Change the following before you save:

<ROLE NAME>: Role Name, e.g. "Keeper Secrets Manager"
<DESCRIPTION>: Description, e.g. "Role for password rotation"
<SUBSCRIPTION ID>: Subscription ID of this Azure subscription

Click Save.

When done, click Review + create, and click Create.

Once the role is created, it needs to be assigned to the Application (Service Principle). Click View in the Details column.

A panel will appear on the right side of the screen. Click Assignments, and then Add assignment.

Enter in the new role's name in the search bar on the Role tab, then double click it to select it. Move to the Members tab. Click Select members. In the panel that opens, enter the name of the Azure application, select the current application, and click Select.

Go to the Review + assign tab click Review + assign.

At this point, you have created the necessary roles and applications within your Azure environment.

PAM Features

The "PAM Features Allowed" and "Session Recording Types Allowed" sections in the PAM Configuration allow owners to enable or disable KeeperPAM features for resources managed through the PAM configuration:

Field

Description

Configuring PAM Features on PAM Record Types

After creating the PAM configuration, visit the following pages to:

Configure
Configure
Configure

Override Default Azure SDK Endpoints

Certain Azure environments, such as Azure Government or other sovereign clouds, use different authentication and Microsoft Graph endpoints than Azure commercial (azure.com). The default Azure SDK endpoints can be configured via custom fields on the KeeperPAM configuration record, enabling password rotation to function correctly in non-commercial Azure environments. For more information on configuring these custom fields, visit the following .

Just-In-Time Access (JIT)

KeeperPAM Just-In-Time Access and Zero Standing Privilege

Just-In-Time Access and Zero Standing Privilege

Introduction

KeeperPAM provides comprehensive just-in-time (JIT) access capabilities to help organizations achieve zero standing privilege (ZSP) across their entire IT infrastructure and endpoints. By implementing JIT access controls, organizations can significantly reduce their attack surface by ensuring that privileged access is only granted when needed, for the duration required, and with appropriate approvals.

Understanding JIT and ZSP

Just-In-Time (JIT) Access: Provides users with privileged access only at the moment they need it, for a limited time period, and often with approval workflows.

Zero Standing Privilege (ZSP): A security approach where users have no permanent privileged access to systems, eliminating the risk associated with compromised privileged accounts.

Use Cases

KeeperPAM offers JIT capabilities across multiple scenarios:

Just-in-Time Elevated Access to Infrastructure

Keeper's zero-trust privileged sessions can be established to any target with a single click from the web vault. When configured for JIT, elevated privileges are only granted for the duration of the session and automatically revoked upon session termination.

Supported Connection Protocols:

RDP (Remote Desktop Protocol)
SSH (Secure Shell)
VNC (Virtual Network Computing)
HTTP/HTTPS

How to Configure:

In the KeeperPAM resource configuration, navigate to the "JIT" tab
Enable just-in-time elevated access for the target resource
Configure the elevation settings (Ephemeral account or Group/Role elevation)

Ephemeral Account Creation

KeeperPAM can create temporary accounts with appropriate privileges that exist only for the duration of a privileged session.

Key Features:

Automatic creation of temporary privileged accounts when sessions begin
Dynamic privilege assignment based on access requirements
Complete account removal when sessions terminate

Benefits:

Eliminates attack vectors associated with standing privileged accounts
Prevents lateral movement using compromised credentials
Creates clean audit trails linking specific sessions to temporary accounts

The Keeper Gateway is responsible for creating a temporary account on the target using the selected account type.

Keeper can create ephemeral accounts on any assigned target resource, such as:

Active Directory / LDAP Domain User
Windows User
Linux User
MySQL User

Group and Role Elevation

Role elevation can be assigned at the Group or Role level. For example, an AWS group or role can be assigned to the connecting user account for the duration of the session.

In the input field, provide Keeper with the identifier of the group or role to elevate during the connection. E.g. for Windows this might be “Administrators” and for AWS this would be the full ARN (e.g. arn:aws:iam::12345:role/Admin).

Domain User Group Elevation

When elevating an ephemeral Domain User to a group, you must specify the group in Distinguished Name (DN) format.

Example: If the group name is RemoteUsers, the DN would be:

If your group name contains spaces, you must enclose the DN in quotes.

Example: If the group name is Remote Users, the DN would be:

Just-in-Time Elevated Access on Endpoints using PEDM

extends JIT capabilities to end-user devices, allowing for precise privilege elevation for specific processes, applications, or tasks without granting full administrative access.

Key Features:

Process-level privilege management across Windows, macOS, and Linux
Policy-based elevation rules with granular controls
User-initiated elevation requests with approval workflows

How it Works:

Users operate with standard, non-privileged accounts by default
When administrative privileges are needed, users request elevation for specific tasks
Based on policy, requests are auto-approved or routed for manual approval

For more information see:

Time-Limited Access with Automated Credential Rotation

KeeperPAM provides time-bounded access to resources with automatic credential rotation.

Key Features:

Automated credential rotation on-demand or on a scheduled basis
Time-limited access window for authorized users
Integration with password rotation policies

Security Benefits:

Ensures credentials are never re-used for future sessions
Protects against credential theft during access periods
Creates cryptographically verifiable access boundaries

To provide time-limited access to a resource, open the resource from the vault and select Sharing. Add the user as a share recipient, and select Set Expiration.

For more information see:

Workflow and Requests for Approval

KeeperPAM includes flexible approval workflows for JIT access requests, ensuring proper oversight of privileged access.

Key Features:

Multi-level approval workflows
Time-based auto-approval or denial
Delegation of approval authority

Configuration Options:

Required approvers based on resource sensitivity
Approval timeouts and escalations
Working hours restrictions

Implementation Best Practices

When implementing JIT access and ZSP with KeeperPAM:

Start with critical systems: Begin your implementation with your most sensitive systems and infrastructure
Define clear policies: Establish clear guidelines for when JIT access is required and who can approve it
Educate users: Ensure users understand how to request elevated access when needed

Conclusion

KeeperPAM's comprehensive JIT and ZSP capabilities provide organizations with the tools needed to significantly reduce their privileged access attack surface. By implementing these capabilities across your infrastructure, you can ensure that privileged access is strictly controlled, properly approved, and thoroughly audited.

For more information on specific JIT use cases or implementation guidance, contact your Keeper Security account manager or email .

Google Compute Virtual Machine User

Rotating Google Compute Virtual Machine accounts with Keeper

In this guide, you will learn how to rotate Google Compute Virtual Machine (VM) Accounts on your Google Cloud Environment using Keeper Rotation. The Compute VM is an GCP managed resource where the Google Compute VM Admin Credentials are linked to the PAM Machine record and the identity of the Google Compute VM Users are defined in the PAM User record type.

For Google Compute VM Accounts, normal operating system commands are used to change the password. Keeper will connect to the target machine and send command-line commands to change the password.

Prerequisites

This guide assumes the following tasks have already taken place:

Keeper Secrets Manager is enabled for your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created

1. Set up PAM Machine Records

Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should link to an administrative credential that has the rights to change passwords for users on the machine.

Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated.

Keeper will use the referenced admin credential to rotate the password or SSH key of AWS Virtual Machine users in your AWS environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of these user accounts.

If you are running a rotation on a PAM Machine record which also happens to be the same machine running the Keeper Gateway, Keeper will attempt to rotate the password or SSH key for the account using the keeper-gw user. Assuming that keeper-gw has sudoers privilege, it will be able to perform rotations on the local Gateway machine.

The following table lists all the required fields on the PAM Machine record:

Field

Description

This PAM Machine Record with the linked admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.

2. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

Field

Description

For more details on all the configurable fields in the PAM Configuration record, visit this .

3. Set up PAM User Records

Keeper will use the credentials linked from the PAM Machine record to rotate the PAM User records in your Google Cloud environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields that need to be filled on the PAM User record:

Field

Description

4. Configure Rotation on the Record - GCP VM User

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

SSH Key Rotation Notes

When rotating the private PEM Key credential on a target machine or user, Keeper will update the authorized_keys file on the machine with the new public key. The first time that a rotation occurs, the old public key is left intact in order to prevent system lockout. The second public key added to the file contains a comment that serves as an identifier for future rotations. For example:

By default, Keeper will not remove other keys from the .ssh/authorized_keys file since some providers will place in their own keys in order to control the virtual machine (ie Google Cloud Provider).

If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper will update the line which contains the "keeper-security-xxx" comment.

Rotation will also create backup of the prior .ssh/authorized_keys inside of the .ssh directory.

For private key rotation, the new private key will be same algorithm and key size (bits) as the current private key. For example, if the current private key is ecdsa-sha2-nistp256 the new private key will be ecdsa-sha2-nistp256. This can be overridden by adding a custom text field, with the label Private Key Type , and setting the value to one support algorithms:

ssh-rsa - 4096 bits
ecdsa-sha2-nistp256 - ECDSA, 256 bits
ecdsa-sha2-nistp384 - ECDSA, 384 bits

.This custom field can also be used if the current private key's algorithm cannot be detected.

To prevent private key rotation, a custom text field can be added to the PAM User record with the label Private Key Rotate. If the value of the field is TRUE, or the field doesn't exists, the private key will be rotated if it exists. If the value is FALSE, the private key will not be rotated.

For Linux user rotations, password-encrypted PEM files are not currently supported.

Administrative Credential - SSH key only accounts

When configuring a PAM User with only a private PEM key and no password as the admin credential for a machine resource, this user will execute all administrative operations such as password rotation. In this configuration, the admin account must be able to perform sudo operations without being prompted for a password.

If a password is required to execute sudo commands, rotations for non-admin credentials on that resource will fail—since the admin credential does not include a password. To ensure successful rotation, configure the PEM key only admin account to run sudo commands without a password prompt.

EC2 Virtual Machine User

Rotating AWS EC2 Virtual Machine accounts with Keeper

In this guide, you will learn how to rotate AWS EC2 Virtual Machine (VM) Accounts on your AWS Environment using Keeper Rotation. The EC2 VM is an AWS managed resource where the EC2 VM Admin Credentials are linked to the PAM Machine record and the identity of the EC2 VM Users are defined in the PAM User record type.

For EC2 VM Accounts, normal operating system commands are used to change the password. Keeper will connect to the target machine and send command-line commands to change the password.

Prerequisites

This guide assumes the following tasks have already taken place:

Keeper Secrets Manager is enabled for your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created

1. Set up PAM Machine Records

Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated.

The following table lists all the required fields on the PAM Machine record:

Field

Description

2. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

Make sure the following items are completed:

A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
PAM Machine records have been created for each target machine

If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that needs to be filled on the PAM Configuration.

Field

Description

For more details on all the configurable fields in the PAM Configuration record, visit this .

3. Set up PAM User Records

Keeper will use the credentials linked from the PAM Machine record to rotate the PAM User records in your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields that need to be filled on the PAM User record:

Field

Description

4. Configure Rotation on the Record - AWS VM User

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.

Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

SSH Key Rotation Notes

Rotation will also create backup of the prior .ssh/authorized_keys inside of the .ssh directory.

ssh-rsa - 4096 bits
ecdsa-sha2-nistp256 - ECDSA, 256 bits
ecdsa-sha2-nistp384 - ECDSA, 384 bits

.This custom field can also be used if the current private key's algorithm cannot be detected.

For Linux user rotations, password-encrypted PEM files are not currently supported.

Administrative Credential - SSH key only accounts

Google Cloud Environment Setup

Setting up your Google Cloud environment to work with KeeperPAM

Google Cloud Environment Overview

Overview

Resources in your GCP environment can be managed by a Keeper Gateway using a service account configured in the PAM Configuration record. Optionally this service account can be configured to have domain-wide delegation, enabling Keeper Gateway to rotate passwords for Google Workspace users (GCP principals) discovered during GCP discovery.

The service account must be configured appropriately to enable access to the target GCP resources:

Compute Engine
Cloud SQL
Cloud Resource Manager

Additionally, in order to enable Google Workspace user password changes, the service account also needs:

Domain-wide delegation enabled in Google Workspace Admin Console
Scope: https://www.googleapis.com/auth/admin.directory.user
The google_admin_email must have user management permissions in Workspace

See for more details about enabling password rotations for GCP Principals.

Required Service Account Setup

A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person.

The minimal set of permissions needed by the KeeperPAM service account are as follows:

To ensure least privilege, the service account provided in the GCP configuration should be granted these permissions only:

Create a (e.g. KeeperPAM)
Create a Service Account
Assign the role to the Service Account

Save the downloaded file in the Keeper vault for protection. The contents of this file will also be added to the "Service Account Key" field of the PAM Configuration record in the Keeper vault.

Optional Setup for GCP User Password Rotation

You can optionally activate the ability for KeeperPAM to rotate Google Workspace identities by following the steps in this section.

When discovering GCP resources, the system identifies users from IAM policies with the user: prefix (e.g., user:[email protected]). These are typically Google Workspace users who have been granted permissions in your GCP project.

To rotate passwords for these Workspace users, the service account must:

Have domain-wide delegation enabled in Google Workspace
Be authorized with the appropriate OAuth scope
Have an admin email specified that the service account will impersonate

Prerequisites

A Google Cloud Platform project with a service account
Google Workspace admin access
The service account's Client ID (found in the service account details)

Step-by-Step Configuration

Enable Domain-Wide Delegation for the Service Account

Go to the
Navigate to IAM & Admin → Service Accounts
Locate your service account (the one whose key is used in the PAM Configuration)

Authorize the Service Account in Google Workspace Admin Console

Go to the
Navigate to Security → Access and data control → API controls
Scroll down to Domain-wide delegation

Configure the Google Admin Email

The Google Admin Email is a Google Workspace user account that:

Has administrative privileges in Google Workspace
Specifically has User Management permissions
Will be impersonated by the service account when making password changes

Create or Identify an Admin User

Option A: Use an existing Super Admin

Use the email of an existing Google Workspace Super Admin
Example: [email protected]

Option B: Create a dedicated service admin account (Recommended)

Go to Directory → Users in Google Workspace Admin Console
Click Add new user
Create a user with a name like:

Set up the PAM Configuration Record

In the Keeper Vault > Secrets Manager > PAM Configurations > create a new GCP PAM Configuration record. Set the following:

Service Account Key (JSON format)

This is the key file created above during the Service Account setup. The format is like this:

Google Admin Email

This is only required if GCP service principal rotation is configured.

How It Works

When rotating a password for a GCP user:

The system discovers users from GCP IAM policies (e.g., user:[email protected])
During password rotation, the code:
- Loads the service account credentials from the JSON key

Required Permissions Summary

GCP Project Permissions (for Discovery)

The service account needs these IAM permissions in the GCP project:

resourcemanager.projects.getIamPolicy - To discover users from IAM policies

Google Workspace Permissions

The service account needs:

Domain-wide delegation enabled
OAuth Scope: https://www.googleapis.com/auth/admin.directory.user

The Google Admin email account needs:

User Management Admin role (or Super Admin)

Troubleshooting

Error: "No Google Admin email provided"

Cause: The google_admin_email field is not set in the PAM Configuration record
Solution: Add the admin email to the PAM Configuration record

Error: "Permission denied" or "Forbidden"

Cause: Domain-wide delegation not properly configured
Solution:
1. Verify the service account has domain-wide delegation enabled

Error: "Insufficient permissions"

Cause: The Google Admin email doesn't have sufficient privileges
Solution: Ensure the admin email has User Management Admin role or Super Admin role

Error: "Invalid credentials" or "Authentication failed"

Cause: Service account key is invalid or expired
Solution:
1. Regenerate the service account key in GCP Console

User password change succeeds but user can't log in

Cause: Password policy requirements not met
Solution: Password generation respects these constraints:
- Minimum 8 characters

Security Best Practices

Use a dedicated service admin account: Create a separate Google Workspace user specifically for this service rather than using a personal admin account
Limit service account key distribution: Store the service account key JSON securely in Keeper Secrets Manager only
Monitor admin activity: Regularly review the Google Workspace admin audit logs for activities by the service account

Additional Resources

SaaS Plugins

SaaS and REST-based rotation plugins

KeeperPAM SaaS Rotation Plugins

Overview

KeeperPAM supports automated password rotation for various SaaS applications and services, including cloud infrastructure. This feature requires Keeper Gateway version 1.6 or newer. Currently, the configuration of SaaS rotations requires the use of Keeper Commander CLI. The front-end for managing these rotations will be included in an upcoming release of the Web Vault and Desktop App.

SaaS rotations are available as built-in integrations, catalog integrations or custom integrations.

Built-in SaaS Integrations

KeeperPAM includes pre-built integrations for popular services:

Okta - Identity and access management
Snowflake - Cloud data platform
REST APIs - Generic REST endpoint integration

Catalog SaaS Integrations

In Keeper's , several new rotation plugins have been created, including:

AWS Cognito
Cisco APIC
and

As new catalog rotations are added, customers may use these rotations within their environments.

Custom Integrations

Following the examples in Keeper's , customers can create their own plugins that are private and only available to their Keeper Gateway. See the section for more information.

Setting Up SaaS Password Rotation

This is accomplished in 3 steps outlined below:

Step 1: Create a SaaS Configuration Record

SaaS rotation configurations are stored as records with custom fields that define the configuration parameters.

Using Keeper Commander CLI

The fastest way to create a SaaS configuration is using the Commander CLI pam action saas config command:

The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins.

You can also just create a Login record with custom fields as defined below.

Okta Configuration Record

Custom Field Name

Description

Required?

Snowflake Configuration Record

Custom Field Name

Description

Required?

REST Configuration Record

Custom Field Name

Description

Required?

AWS Access Key Configuration Record

Custom Field Name

Description

Required?

Note: The admin access key does NOT be set if you using an EC2 instance an attached IAM role or the using an AWS configuration. The plugin with get its credentials from the following in the specified order.

SaaS Configuration Record - Ensure that the Access Key and Secret Key
AWS PAM Configuration - See the for details

Assigning Permissions

Ensure that the roles assigned to your AWS PAM Configuration or to the specific administrative access key / secret key include the below policies required to rotate a target access key:

Azure Client Secret Configuration Record

Custom Field Name

Description

Required?

Note: The administrative application ID and client secret does not be set if you using a PAM Configuration that already has necessary Azure permissions.

The plugin with get its credentials from the following in the specified order.

SaaS Configuration Record
Azure PAM Configuration

Assigning Permissions to Admin Application

In order for the target secret to be rotated, the administrative application must have the necessary Azure role permissions.

Required Microsoft Graph Permissions:

Application.ReadWrite.All

How to Assign:

Go to Azure Portal > Azure Active Directory > App registrations
Select your Administrative app (the one that will rotate secrets)
Go to API permissions > Add a permission

Cisco IOS EX Configuration Record

Custom Field Name

Description

Required?

Cisco Meraki Configuration Record

Custom Field Name

Description

Required?

API:

Step 2: Associate SaaS Rotation with PAM Users

Once your SaaS configuration record is created, associate that record with one or more PAM User records in the vault.

Create the PAM User record either in the vault, or using the Commander CLI
Using Commander, run the below commands to create the association:

Step 3: Verify Configuration

Check that your SaaS rotation is properly configured on the PAM User record:

This will display all configured SaaS rotations for the specified PAM User, including their current settings.

Performing SaaS Rotation

To perform the rotation from the Commander CLI, use the pam action rotate command:

Managing SaaS Rotations

Remove SaaS Rotation

To remove a SaaS rotation from a PAM User record:

Activate/Deactivate Rotations

You can control whether a SaaS rotation is active by setting the Active custom field:

Set to any value (e.g., "true", "yes", "1") to activate
Remove the field or set to empty/false to deactivate

Custom and Community Plugins

Available Custom Plugins

In addition to built-in integrations, you can use custom plugins for additional services. Keeper maintains a repository of community-contributed plugins:

GitHub Repository:

Check the integrations/ folder for available plugins, which may include:

Additional cloud services
Database systems
Network equipment
Custom enterprise applications

Using Custom Plugins

To use custom plugins in your environment:

1. Set Up Plugin Directory

Configure your PAM Gateway to recognize custom plugins:

2. Deploy Plugin Files

Copy the plugin Python files to your configured directory:

3. Docker Container Setup

If using Docker, mount the plugin directory:

Update the PAM configuration to use the container path:

4. Configure Plugin Access (If Required)

Some plugins may need access to your PAM configuration credentials (e.g., for AWS or Azure integration). Grant access by adding the plugin name to the allow list:

Developing Custom Plugins

If you need a plugin for a service not currently available, you can develop your own using the development environment provided in the repository. The repository includes:

Development and testing tools
Example plugins and templates
API documentation
Testing framework

Visit the for detailed development instructions. To contribute to the community rotation plugin directory, submit a pull request.

Best Practices

Security Considerations

Use dedicated service accounts with minimal required permissions for SaaS integrations
Regularly rotate API keys and tokens used in SaaS configurations
Test rotations in a development environment before production deployment

Configuration Management

Store SaaS configurations in dedicated shared folders for better organization
Use descriptive names for configuration records (e.g., "Okta Production", "Snowflake Dev")
Document any custom field requirements for team members

Troubleshooting

Check Gateway logs for detailed error messages during rotations
Verify API credentials and permissions in your SaaS applications
Ensure network connectivity between Gateway and target services

Support and Resources

Built-in SaaS Types: Supported through standard Keeper support channels
Custom Plugins: Community support via GitHub repository issues
Development Questions: Refer to repository documentation and examples

For the most up-to-date list of available plugins and integration examples, regularly check the .

Health Checks

Monitoring the Keeper Gateway using health checks

Overview

This document describes the health check functionality implemented for the KeeperPAM Gateway. Health checks provide essential monitoring capabilities that solve several common operational challenges.

Health Checks provide the following benefits:

Allow load balancers to automatically remove unhealthy instances from rotation and add them back when they recover.
Integrate with monitoring systems (Prometheus, Nagios, Datadog, etc.) to provide automated alerting and dashboards showing gateway health across your infrastructure.
Enable automated monitoring scripts and orchestration tools to detect failures and trigger recovery procedures without human intervention.

The health check service is disabled by default. You must activate it as documented in the next sections.

Simple Health Check Configuration

The below configuration enables a basic health check service on the binary and Docker installation methods. More is also available as documented below.

Activating Health Check - Binary Install method

Start the gateway with health check enabled:

Only after the gateway is running with health check enabled, you can check its health:

If you get an error like "Could not connect to health check server", it means you haven't enabled the health check properly.

If you see "Exception No such command 'keeper-gateway.exe'", you're using the wrong command syntax. Always use "gateway" as the command name.

Activating Health Check - Docker Install method

Modify the docker-compose.yml file to enable health checks:

Add KEEPER_GATEWAY_HEALTH_CHECK_ENABLED
Add the healthcheck section with the desired check intervals

After changing the docker-compose file, pick up the changes and restart the container:

If the container name is keeper-gateway, a one-line bash command to find the service status can be found like this:

If you don't know the container name, this script will give it to you:

Here's an example of checking the health with a bash command:

The below complete bash script can be added to your watchdog services to check service status and automatically restart the container if it's unhealthy. Replace /path/to/ with the proper path.

To schedule this health check on a Linux system, it can be added to the cron

Add to the crontab to watch every minute...

Advanced Healthcheck Configuration Examples

The below section provides detailed configuration for customization of the health checks in different environments.

Configuration

Start Command

CLI Health Check

Curl Health Check

Output Format Examples

Output Format

CLI Command

Description

Troubleshooting Commands

Issue

Test Command

Expected Result

Error Messages and Troubleshooting

The CLI health check provides detailed error messages to help diagnose issues:

Authentication Errors (HTTP 401)

Connection Errors

SSL Certificate Errors

Implementation

The Gateway health check is implemented using , a lightweight WSGI micro web-framework for Python. Bottle was chosen for the following advantages:

Minimal dependency (single file, ~60KB in size)
Enhanced security over the built-in Python HTTP server
Proper request routing and handling

CLI Health Check

You can check the gateway's health from the command line:

This command returns:

Exit code 0 if the gateway is healthy
Exit code 1 if the gateway is not running or not healthy
Text output indicating the status (OK/CRITICAL/WARNING)

For detailed output in a machine-parsable format (one key=value pair per line):

For JSON format output (matching the HTTP endpoint format):

If your health check server is using SSL:

If your health check server requires authentication:

If your health check server is running on a non-default port:

If your health check server is running on a different host:

The detailed output includes:

Gateway version
Connection status
WebSocket metrics (when available)
Process information (in background mode)

This makes it suitable for monitoring scripts and cron jobs.

Note: The CLI health check command requires the HTTP health check server to be running. If the health check server is not running, the command will return an error message suggesting to enable the health check server.

HTTP Health Check

The gateway includes a secure HTTP health check endpoint that can be enabled with environment variables or command line arguments.

Configuration

The health check server can be configured using environment variables or command line arguments:

Environment Variables

Environment Variable

Purpose

Default

Command Line Arguments

When starting the gateway, you can also use these command line arguments:

Command line arguments take precedence over environment variables when both are specified.

Example Commands

Basic health check with default settings:

Custom port and authentication token:

Bind to all interfaces (only in secure environments):

Enable SSL with certificate and key:

Complete example with all options:

Usage

When enabled, the HTTP health check endpoint will be available at:

Or with SSL:

Response Format

The endpoint returns:

HTTP 200 if the gateway is healthy
HTTP 503 if the gateway is not healthy
JSON response with details:

The response includes:

status: Overall health status ("healthy" or "unhealthy")
message: Human-readable description of the status
details: Detailed information about the gateway

Example Responses

Healthy Gateway:

Unhealthy Gateway:

Note that some metrics like latency_ms, last_ping_sent_timestamp, and last_pong_received_timestamp may not always be present in the response. The availability of these metrics depends on the current state of the WebSocket connection and the timing of ping/pong messages.

Status Update Delays

The health check reflects the current state of the WebSocket connection, but there may be a delay in status updates.

Delayed Status Updates

When connectivity is lost, it may take up to 2 minutes for the health check to report an "unhealthy" status, as the gateway attempts to reconnect. Similarly, when connectivity is restored, it may take up to 2 minutes for the health check to reflect a "healthy" status.

This latency is intentional and allows the gateway to attempt reconnection without immediately reporting failures for transient connectivity issues.

Security

The HTTP health check includes the following security features:

Authentication: When KEEPER_GATEWAY_HEALTH_CHECK_AUTH_TOKEN is set, requests must include the token in the Authorization header:
SSL/TLS: When SSL is enabled, all communication is encrypted. You must provide a valid certificate and private key.
Localhost binding: The server binds to localhost only by default, not exposing the endpoint over the network.

TLS Compatibility

The health check server is configured to support a wide range of clients by:

Using secure TLS defaults (TLS 1.2+ minimum) for maximum security
Supporting modern cipher suites for strong encryption
Automatically handling protocol negotiation for HTTP and HTTPS

For clients that support modern TLS versions, use standard curl commands:

Docker-Specific Configuration Requirements

When running Keeper Gateway inside Docker, special configuration may be required to expose the health check to the host or external systems:

Binding to 0.0.0.0

The health check server must bind to 0.0.0.0 to be reachable outside the container.
127.0.0.1 restricts access to within the container only.

SSL Enforcement

When using 0.0.0.0, Keeper Gateway forces SSL to protect health check data.
You must provide a valid certificate and key or the server will not start.

Authentication Requirement

If binding to 0.0.0.0, you must also specify an AUTH_TOKEN to secure the endpoint.

Docker Compose Example

Generate a Self-Signed Certificate

Test the Endpoint from the Host

Example Linux Configuration

Or using command line arguments:

Self-Signed SSL Certificates

For testing or internal use, you can generate self-signed certificates to enable SSL/TLS encryption:

Or using command line arguments:

When using self-signed certificates, your HTTP client will need to be configured to trust the certificate or ignore SSL verification (not recommended for production).

Monitoring Integration

This endpoint can be used with monitoring systems like:

Prometheus with blackbox exporter
Nagios/Icinga
Zabbix
Datadog

KeeperPAM and Secrets Manager

KeeperPAM

hashtagOverview

Privileged Access Manager

Setup Steps

hashtagSetup Steps

hashtagKeeper Enterprise license

hashtagActivate Privileged Access Manager

hashtagEnable PAM Policies

hashtagExisting Customers: Updating your Gateway

hashtagNew Customers: Create a new Gateway and Sandbox

hashtagExplore new features

hashtagNotes

hashtagFeedback

Quick Start: Sandbox

hashtagQuick Start Wizard

Getting Started

hashtagThe Basics

hashtagKeeperPAM Features

hashtagSecrets Manager Features

hashtagCommander CLI Features

hashtagEnterprise Password Manager

Architecture

hashtagOverview

Architecture Diagram

hashtagArchitecture Diagram

hashtagComponents

hashtagKeeper Gateway

hashtagKeeper Router

hashtagKeeper Relay

hashtagKeeper Backend API

hashtagScheduler

hashtagAdmin Console and Control Plane

hashtagClient Applications

hashtagData Flow

Vault Security

Connection and Tunnel Security

hashtagOverview

hashtag

Record Linking

hashtagOverview

hashtagConversion

Applications

hashtagWhat's an Application?

Devices

hashtagWhat's a Device?

Sharing Gateways

hashtagOverview

Alerts and SIEM Integration

hashtagOverview

hashtagFeatures

hashtagKeeperPAM Events

hashtagRecommended Alerts

hashtagIntegrations

Advanced Configuration

hashtagOverview

hashtagAdvanced Configurations

Password Rotation

hashtagOverview

Local Network

hashtagOverview

hashtagSetup Steps

hashtagUse Cases

Database

hashtagDatabases Supported

Azure Managed Database

Azure Client Secret Rotation

IAM User Access Key

Managed Database

hashtagOverview

hashtag

Cloud SQL Database User

hashtagOverview

hashtag

Advanced Configuration

hashtagOverview

hashtagAdvanced Configurations

Architecture Diagram

hashtagArchitecture Diagram

hashtagComponents

Overview

Setup Steps

Keeper Enterprise license

Activate Privileged Access Manager

Enable PAM Policies

Existing Customers: Updating your Gateway

New Customers: Create a new Gateway and Sandbox

Explore new features

Notes

Feedback

Quick Start Wizard

The Basics

KeeperPAM Features

Secrets Manager Features

Commander CLI Features

Enterprise Password Manager

Overview

Architecture Diagram

Components

Keeper Gateway

Keeper Router

Keeper Relay

Keeper Backend API

Scheduler

Admin Console and Control Plane

Client Applications

Data Flow

Overview

Overview

Conversion

What's an Application?

What's a Device?

Overview

Overview

Features

KeeperPAM Events

Recommended Alerts

Integrations

Overview

Advanced Configurations

Overview

Overview

Setup Steps

Use Cases

Databases Supported

Overview

Overview

Overview

Advanced Configurations

Architecture Diagram

Components

Keeper Gateway

Keeper Router

Keeper Relay

Keeper Backend API

Scheduler

Admin Console and Control Plane

Client Applications

Data Flow

Overview

Overview

Overview

Databases Supported

What is a Tunnel?

Connection and tunnel security

Apache Guacamole Usage

Cloud SQL for SQL Server:

Cloud SQL for PostgreSQL

Setup Steps

Keeper Enterprise license

Activate Privileged Access Manager

Enable PAM Policies

Existing Customers: Updating your Gateway

New Customers: Create a new Gateway and Sandbox

Explore new features

Notes

Feedback

Overview

Conversion

The Basics